OWASP Bay Area • April 16, 2026

The AppSec Career Nobody Trained You For

Bruce Fram · CEO, AppSecAI
Slides, resources, and the GRASP framework from the April 16 talk

What This Talk Was About

In 18 months your title might stay the same, but your actual job will be unrecognizable. AI is about to mass-produce both vulnerabilities and fixes faster than any human can review them. The people who figure out how to manage that pipeline will run application security. Everyone else will be writing Jira tickets for an LLM.

This talk covered why the CEO and board suddenly care about AppSec (because software failures can now collapse the economy), what happens when developers stop writing code and start prompting for it, and why the industry's 11-step manual process will never close the gap. We looked at the "Vulnpocalypse" — the reality that the industry finds problems but nobody fixes them — and what the new operating model looks like when you shift from security engineer to automation manager.

Attendees left with the GRASP framework for evaluating whether an AI project is enterprise-ready, a worked example scoring a real open-source project, and a clear picture of the skills that will matter most in the next two years.

The GRASP Framework

Five pillars to evaluate the enterprise-readiness of any AI project

G · Governance: Who controls it, what are the rules, and what does it cost?
R · Reliability: Does the system stay up and produce consistent results?
A · Assurance: Are outputs accurate, relevant, and solving the right problem?
S · Scalability: Can it handle the full workload, not just a pilot?
P · Protection: Is your data safe, and do you trust the providers?

The goal isn't a perfect 25 — it's matching the score to the risk and purpose of the project.

Downloads & Resources

Everything from the April 16 talk — slides, handouts, and tools

Project OASIS

An open-source initiative vetting AI-generated fixes for 1,000+ SAST findings across open source projects. Get your hands dirty with this stuff before it reshapes your day job.


Speaker

Bruce Fram

CEO, AppSecAI · Founding CEO, Contrast Security

Bruce has run six enterprise software companies over 25+ years of technology shifts. He's more technical than most CEOs — he codes with AI daily — and recently wrote The AI Security Advantage: Fix Code 10X Faster.